ABSTRACT

The verification and validation of cyber-physical systems is known to be a difficult problem due to the different modeling abstractions used for control components and for software components. A recent trend to address this difficulty is to reduce the need for verification by adopting correct-by-design methodologies. According to the correct-by-design paradigm, one seeks to automatically synthesize a controller that can be refined into code and that enforces temporal specifications on the cyber-physical system. In this paper we consider an instance of this problem where the specifications are given by a fragment of Linear Temporal Logic (LTL) and the physical environment is described by a smooth differential equation. The contribution of this paper is to show that synthesis for cyber-physical systems is viable by considering a fragment of LTL that is expressive enough to describe interesting properties but simple enough to avoid Safra's construction. We report on two examples illustrating a preliminary implementation of these techniques in the tool PessoaLTL.

1. INTRODUCTION

The correct-by-design, or controller synthesis, paradigm offers a compelling alternative to current system design methodologies relying on extensive testing and/or verification to prove correctness. Intuitively, synthesis is the problem of algorithmically constructing an implementation from a given specification of the desired functionality and performance, and a partial model of the system. Controller synthesis has been studied in various forms in different communities, differing in the form of the model and the specification. For example, in continuous control theory, the partial model is the open loop plant

$\dot{x} = f(x, u),$

and the controller is a feedback function $u = k(x)$ such that the controlled system $\dot{x} = f(x, k(x))$ satisfies certain stability and performance criteria. Similarly, in (discrete) reactive synthesis, the partial implementation is usually an input-enabled, unconstrained automaton, the specification is given as a temporal logic formula capturing the good behaviors of the system, and the controller is an automaton ensuring that its product with the partial implementation only generates good behaviors.

Over the past decades, there has been a convergence of control-theoretic methods with automata-theoretic ones, in order to model hybrid or cyber-physical systems in which discrete components interact with continuous ones. These systems are often complex yet safety-critical, and thus, the application of program synthesis techniques — as opposed to the current practice of design and extensive verification and validation — is likely to have a large impact. However, there are some key technical challenges that have to be overcome in order to apply synthesis to this domain.

First, we have to abstract the underlying continuous state space into discrete parts so that reactive synthesis techniques can be applied. Moreover, such abstractions need to be constructed in such a way that a controller designed for the abstraction can be refined to a controller enforcing the specification on the original continuous model.

Second, the specification language must be expressive enough to capture many properties of interest in the domain. In the reactive synthesis world, linear temporal logic (LTL) [19] (or equivalently, automata over infinite words [29]) is usually considered as a robust and expressive specification formalism. Synthesis algorithms based on deep automata-theoretic constructions [5, 23, 18, 20, 21, 12] are well-known for this formalism. Unfortunately, these algorithms have very high theoretical and practical complexities. Theoretically, the problem is complete for 2EXPTIME. Moreover, Safra's determinization construction [25], a key step in the algorithms, is extremely difficult to implement, and the best implementations so far can only handle small automata. This has limited the possibility of practical synthesis tools.

In this paper, we present PessoaLTL, an automatic synthesis tool for cyber-physical systems. PessoaLTL takes as input a controlled differential equation modeling the physical components, a specification consisting of two parts, a safety part in safe-LTL and an easily determinizable liveness part, and a parameter $\varepsilon$ specifying the desired precision, and outputs, if possible, a software controller that ensures that the model together with the controller satisfies the specification up to precision $\varepsilon$ (in a technical sense). The controller is refined to Simulink blocks for closed-loop simulation.

We overcome the two challenges mentioned above in the following way. First, we use recent techniques reported in [22, 33, 17] to compute discrete abstractions of the differential equation model of the underlying continuous state space. Second, we use a restricted subset of LTL for our specification language, chosen to be expressive enough to naturally capture many requirements that frequently arise in cyber-physical systems design, and yet enabling controller synthesis without Safra's construction (or the manipulation of co-Büchi tree automata [12]).

Our choice of the specification formalism is driven by our observation that many specifications for controller synthesis problems in embedded systems and robotics essentially consist of an "involved" safety part (stating that the system should always remain in "safe" states) and a "simple" liveness or guarantee part (stating that eventually the system should reach a special set of states). For example, a typical requirement in robotic applications is to reach a goal state while avoiding obstacles. A typical problem in control is to force a system to move between different operating points while staying within a desired operational envelope. This occurs, e.g., when we press a button in an elevator requesting that we reach a different floor while maintaining the elevator velocity and acceleration within certain limits for safety as well as comfort reasons. Accordingly, our specification language consists of two parts: a safety part in safe-LTL, and a guarantee part given as an until formula. We use the fact that automata for safe-LTL can be determinized using the usual subset construction [13], letting us avoid Safra's construction in the implementation. Moreover, we can symbolically compute maximal strategies for the safety part. In a second step, we can compute the strategy to ensure the guarantee part while ensuring the safety specification. Although our synthesis algorithms are based on enforcing a safety invariant on the product of the system and the automaton constructed from the safe-LTL formula, the use of safe-LTL directly allows us to write specifications more naturally than if using invariants.

We developed PessoaLTL as an extension of PESSOA¹, using both the abstraction algorithms as well as a solver for safety games using BDDs provided by PESSOA. We report preliminary results on the use of PessoaLTL. Drawing inspiration from robotics, we illustrate by two nontrivial examples how embedded control software synthesis problems can be automatically solved. The first example considers the motion planning problem with obstacles and requires an LTL formula comprising both safety as well as guarantee properties. In the second example we consider a more detailed model for the robot by incorporating information about the protocol used to mediate between the sensors and the main processor. Since the main processor may fail to acquire sensor measurements, we consider the requirement of reducing the robot velocity, or even completely stopping the robot, when not enough measurements are acquired. While in the worst case the complexity of the algorithm is still 2EXPTIME [13], in practice the subset construction has not been a bottleneck.



Related work. We have already mentioned the rich history of reactive synthesis using automata-theoretic techniques. Work on the synthesis problem for cyber-physical systems is quite recent. The use of finite-state abstractions of differential equations and hybrid systems to solve synthesis problems has been pursued by several authors [2, 9, 24, 10, 31, 27]. However, no novel synthesis algorithms, at the automata level, are proposed in these references.

Most tools for synthesis restrict specifications to state invariants. This is mostly because automata-theoretic synthesis algorithms for general LTL properties require a complex determinization step [25] which is hard to implement efficiently [11, 28].



In [14, 32] controller synthesis enforcing temporal requirements on cyber-physical systems is discussed. Although different synthesis algorithms are proposed in these references, both assume a bounded temporal horizon for the satisfaction of the property. The work in [14] uses model checking algorithms to find the feasible set of inputs. These inputs are bounded, since it is based on bounded temporal horizon assumptions. Liveness properties with a bounded horizon are examples of bounded-safe properties. The fragment of LTL handled by PessoaLTL includes all bounded-safe properties. Furthermore, PessoaLTL also supports guarantee properties that impose no restriction on the time it takes for satisfaction.



In [7, 8], the authors have also restricted attention to specification formalisms which have efficient game solving algorithms, and used such algorithms to synthesize hardware components. Our focus here is embedded and robotics applications, for which our restricted specification language is a good fit. The abstraction of differential equation models for the physical components is an added dimension of complexity in our case.

The synthesis of switching policies for cyber-physical systems is discussed in [6]. Although the resulting switching policies enforce the desired specifications, the work in [6] assumes that the continuous dynamics in each mode is fixed. In contrast, our algorithms do not assume the a priori existence of different modes with different dynamics.

While our constructions do not introduce any new deep insight into the nature of synthesis, we believe our specification formalism and implemented algorithms represent a practical sweet spot in controller synthesis for cyber-physical systems.

2. BACKGROUND
2.1 Systems

We consider the following notion of system that will be used to model software components as well as the abstraction of physical components.



Definition 1. A system

$S = (X, X_0, U, \rightarrow, Y, H)$

consists of: a set of states $X$; a set of initial states $X_0 \subseteq X$; a set of inputs $U$; a transition relation $\rightarrow \subseteq X \times U \times X$; a set of outputs $Y$; and an output map $H : X \rightarrow Y$.

¹ Available from http://www.cyphylab.ee.ucla.edu/pessoa.

A system is said to be finite when the set of states $X$ is finite. When the set of outputs $Y$ of a system $S$ is equipped with a metric $d : Y \times Y \rightarrow \mathbb{R}_0^+$, we say that $S$ is a metric system. Metric systems will be used to formalize finite abstractions of differential equations in Section 2.3.



We write $x \xrightarrow{u} x'$ when $(x, u, x') \in \rightarrow$. For such a transition, state $x'$ is called a $u$-successor, or simply successor, of state $x$. Similarly, $x$ is called a $u$-predecessor, or predecessor, of state $x'$. For technical reasons, we assume that for every $x$ and $u$, there is some $x'$ such that $x \xrightarrow{u} x'$. We denote the set of $u$-successors of a state $x$ by $\mathrm{Post}_u(x)$. A system is said to be deterministic if $(x, u, x') \in \rightarrow$ and $(x, u, x'') \in \rightarrow$ implies $x' = x''$, or equivalently, if $\mathrm{Post}_u(x)$ is a singleton for each $x \in X$ and $u \in U$.

A run of a system $S$ is an infinite sequence

$x_0 \xrightarrow{u_0} x_1 \xrightarrow{u_1} \cdots \qquad (1)$

where $x_0 \in X_0$, and for each $i \geq 0$, we have $x_i \xrightarrow{u_i} x_{i+1}$. The outputs associated with the run (1) is the trace

$H(x_0)\, H(x_1) \cdots \in Y^\omega.$

Given an infinite string $z \in Z^\omega$, we will use the notation $z(i)$ to denote the $i$th element in the string $z$ and the notation $z[k]$ to denote the infinite string obtained from $z$ by removing its first $k$ elements, i.e., $z[k](i) = z(i + k)$.

The notion of system in Definition 1 allows for nondeterminism in the sense that for a given state $x \in X$ and input $u \in U$, there may be more than one $u$-successor of $x$. We assume that once the input $u$ is chosen at the state $x$, the exact $u$-successor of $x$ is selected from $\mathrm{Post}_u(x)$ by the environment. We regard this nondeterminism as the adversarial influence of the environment, and consider a two-person game between the controller (player 0) and the nondeterminism (player 1).

2.2 Controllers 

A strategy for the controller (player 0) in a system $S = (X, X_0, U, \rightarrow, Y, H)$ is a mapping $\pi_0 : (X \times U)^* \times X \rightarrow U$ that associates with every non-empty finite sequence of states and inputs ending in $X$, representing the past history of the game, an action. A strategy for player 1 is a mapping $\pi_1 : (X \times U)^* \times X \times U \rightarrow X$ that associates with every non-empty finite sequence of states and inputs ending in $x \in X$ and after action $u \in U$ has been taken, representing the past history of the game, a successor state $x' \in \mathrm{Post}_u(x)$. A controller strategy $\pi_0$ is memoryless if the strategy depends on the current state only, i.e., $\forall x \in X,\ \forall z, w \in (X \times U)^*,\ \pi_0(z \cdot x) = \pi_0(w \cdot x)$.

An initial state $x_0 \in X_0$, strategy $\pi_0$ for player 0, and $\pi_1$ for player 1 uniquely determine a run:

$\mathrm{Outcome}(x_0, \pi_0, \pi_1) = x_0\, u_0\, x_1\, u_1 \cdots \in (X \times U)^\omega \qquad (2)$

where for $k \geq 0$, we have $u_k = \pi_0(x_0, \ldots, x_k)$ and $x_{k+1} = \pi_1(x_0, \ldots, x_k, u_k)$. Based on (2) we define the infinite state behavior:

$\mathrm{states}(x_0, \pi_0, \pi_1) = x_0\, x_1\, x_2 \cdots \in X^\omega$

and the corresponding outputs as:

$\mathrm{outputs}(x_0, \pi_0, \pi_1) = H(x_0)\, H(x_1)\, H(x_2) \cdots \in Y^\omega.$

For $i \in \{0, 1\}$, given an initial state $x$ and a winning objective $\Phi \subseteq Y^\omega$, we say the state $x \in X$ is winning for player $i$ if there is a player $i$ strategy $\pi_i$ such that, for all player $(1 - i)$ strategies $\pi_{1-i}$, we have $\mathrm{outputs}(x, \pi_0, \pi_1) \in \Phi$. The controller synthesis problem asks, given a system $S$ and an objective $\Phi \subseteq Y^\omega$, to construct a strategy $\pi$ for player 0 such that every initial state $x_0$ is winning for $\Phi$, that is, $\mathrm{outputs}(x_0, \pi, \pi_1) \in \Phi$ for every $x_0 \in X_0$ and every player 1 strategy $\pi_1$. In that case, $\pi$ is called a controller for $\Phi$, and player 0 is said to enforce $\Phi$.

A strategy-set (for player 0) is a function $\pi_0 : (X \times U)^* \times X \rightarrow 2^U$. A strategy $\pi'_0$ for player 0 is compatible with a strategy-set $\pi_0$ if for each $z \in (X \times U)^*$ and $x \in X$, we have $\pi'_0(z \cdot x) \in \pi_0(z \cdot x)$. A strategy-set $\pi_0$ for player 0 is winning for a winning objective $\Phi$ if every strategy compatible with $\pi_0$ is winning for player 0. A strategy-set $\pi$ is maximal for $\Phi$ if it is winning for $\Phi$ and every winning strategy of player 0 for $\Phi$ is compatible with $\pi$. A strategy-set $\pi_0$ is memoryless if it only depends on the final state and not on the history of the play. As with strategies, we represent a memoryless strategy-set as a function $\pi_0 : X \rightarrow 2^U$.

As an example, let $Z \subseteq Y$ and consider the property $\Phi$ to be the set of traces $Z^\omega$. This is called a safety game, and player 0 wins this game from $x$ if she has a strategy $\pi_0$ such that for every strategy $\pi_1$ of player 1, $\mathrm{outputs}(x, \pi_0, \pi_1)$ is a trace consisting only of outputs in $Z$ (the game always remains in $Z$). It is known that player 0 has a memoryless maximal strategy in a safety game [34].

For a set $X' \subseteq X$, define $\mathrm{CPre}(X') = \{x \in X \mid \exists u \in U.\ \mathrm{Post}_u(x) \subseteq X'\}$. The set $\mathrm{CPre}(X')$ consists of all states from which player 0 can force a visit to $X'$ in one step, no matter how player 1 resolves the nondeterminism. One can solve a safety game by iterating $\mathrm{CPre}$, starting from the set $H^{-1}(Z)$, until a fixpoint is reached [34]:

$\nu x.\ H^{-1}(Z) \cap \mathrm{CPre}(x)$

Indeed, this algorithm for solving safety games has been implemented in several tools, including PESSOA.

2.3 Approximate Alternating Simulation

In order to capture the adversarial intent of the environment, the notion of equivalence and pre-order used in this paper is that of alternating simulation. Moreover, since the results in [22, 33] are used to relate differential equation models of physical systems to finite abstractions, we consider approximate alternating simulation relations.



Definition 2. Let $S_a$ and $S_b$ be metric systems with $Y_a = Y_b$ and let $\varepsilon \in \mathbb{R}_0^+$. A relation $R \subseteq X_a \times X_b$ is an $\varepsilon$-approximate alternating simulation relation from $S_a$ to $S_b$ if the following three conditions are satisfied:

1. for every $x_{a0} \in X_{a0}$ there exists $x_{b0} \in X_{b0}$ with $(x_{a0}, x_{b0}) \in R$;

2. for every $(x_a, x_b) \in R$ we have $d(H_a(x_a), H_b(x_b)) \leq \varepsilon$;

3. for every $(x_a, x_b) \in R$ and for every $u_a \in U_a(x_a)$ there exists $u_b \in U_b(x_b)$ such that for every $x'_b \in \mathrm{Post}_{u_b}(x_b)$ there exists $x'_a \in \mathrm{Post}_{u_a}(x_a)$ satisfying $(x'_a, x'_b) \in R$.

We say that $S_a$ is $\varepsilon$-approximately alternatingly simulated by $S_b$, or that $S_b$ $\varepsilon$-approximately alternatingly simulates $S_a$, denoted by $S_a \preceq^{\varepsilon}_{AS} S_b$, if there exists an $\varepsilon$-approximate alternating simulation relation from $S_a$ to $S_b$.



The results in [22, 33] show that for any differential equation model of the physical world, it is possible to construct a finite system $S$ that is $\varepsilon$-approximately alternatingly simulated by the differential equation. Hence, once we synthesize a controller for the finite abstraction, this controller can be refined to a controller enforcing the same specification on the differential equation up to an error of $\varepsilon$. Note that $\varepsilon$ is a design parameter that can be made as small as desired, at the expense of a larger finite abstraction. In the remainder of the paper we will assume that we have already abstracted the differential equation into a finite system. The construction of such abstractions has been implemented in the freely available tool PESSOA.
3. SPECIFICATIONS
3.1 Linear Temporal Logic

We now review the syntax and semantics of linear temporal logic (LTL) [19].

Definition 3. The set of LTL formulae is generated by the following grammar:

$\varphi ::= p \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \neg\varphi \mid \bigcirc\varphi \mid \varphi\, \mathcal{U}\, \varphi \mid \varphi\, \mathcal{W}\, \varphi$

where $p$ is chosen from a set $P$ of atomic propositions.

We define true and false as shorthand for $p \vee \neg p$ and $p \wedge \neg p$ respectively. We use $\Diamond\varphi$ and $\Box\varphi$ as shorthands for $(\mathrm{true}\, \mathcal{U}\, \varphi)$ and $(\varphi\, \mathcal{W}\, \mathrm{false})$ respectively.

An LTL formula is in negation normal form (NNF) if negation occurs only before the atomic proposit ions. It is known that any formula can be put in NNF by applying de Morgan's laws (for Boolean operations) and the identities $\neg\neg\varphi = \varphi$, $\neg\bigcirc\varphi = \bigcirc\neg\varphi$, $\neg(\varphi_1\, \mathcal{U}\, \varphi_2) = \neg\varphi_2\, \mathcal{W}\, (\neg\varphi_1 \wedge \neg\varphi_2)$ and $\neg(\varphi_1\, \mathcal{W}\, \varphi_2) = \neg\varphi_2\, \mathcal{U}\, (\neg\varphi_1 \wedge \neg\varphi_2)$. The length $|\varphi|$ of a formula $\varphi$ is the number of symbols in $\varphi$ and is defined by induction on the structure of $\varphi$ in the standard way.

The semantics of LTL formulae is defined over infinite sequences $z \in (2^P)^\omega$:

• $z \models p$ iff $p \in z(0)$;

• $z \models \neg\varphi$ iff $z \not\models \varphi$;

• $z \models \varphi \wedge \psi$ iff $z \models \varphi$ and $z \models \psi$;

• $z \models \varphi \vee \psi$ iff $z \models \varphi$ or $z \models \psi$;

• $z \models \bigcirc\varphi$ iff $z[1] \models \varphi$;

• $z \models \varphi\, \mathcal{U}\, \psi$ iff $\exists k \geq 0$ s.t. $z[k] \models \psi$ and $z[j] \models \varphi$ for all $0 \leq j < k$;

• $z \models \varphi\, \mathcal{W}\, \psi$ iff $z[i] \models \varphi$ for all $i \in \mathbb{N}_0$, or $\exists k \geq 0$ s.t. $z[k] \models \psi$ and $z[j] \models \varphi$ for all $0 \leq j < k$.

If $z \models \varphi$, we say $z$ satisfies $\varphi$. For an LTL formula $\varphi$, the language $L(\varphi)$ of all strings satisfying $\varphi$ is defined by:

$L(\varphi) = \{z \in (2^P)^\omega \mid z \models \varphi\}.$

Let $S$ be a system where $Y = 2^P$ and thus $H$ maps each state $x \in X$ to the set of atomic propositions that are true at $x$. We say player 0 enforces the LTL formula $\varphi$ if there exists a player 0 strategy $\pi_0$ such that for each player 1 strategy $\pi_1$ and each $x_0 \in X_0$ we have that $\mathrm{outputs}(x_0, \pi_0, \pi_1)$ satisfies $\varphi$.

3.2 Safe-LTL

We now define a subset of LTL formulas that captures all safety properties.

Definition 4. The set of safe-LTL formulae is generated by the following grammar:

$\varphi ::= p \mid \neg p \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \bigcirc\varphi \mid \varphi\, \mathcal{W}\, \varphi$

where $p$ ranges over a set $P$ of atomic propositions.

A safe-LTL formula always defines a safety property. Intuitively, a formula $\varphi$ defines a safety property if $z \not\models \varphi$ can be checked by looking at a finite prefix of $z$.
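Evaluating the semantics of Section 3.1 on ultimately periodic words, as an added example that is not code from the paper or from PessoaLTL; the tuple encoding of formulas, the lasso representation $z = \mathrm{prefix} \cdot \mathrm{loop}^\omega$ and the sample words are constructed here. It checks the obstacle-avoidance formulas of Section 6.1 under $\mathcal{U}$ and $\mathcal{W}$, and illustrates the finite-prefix intuition of safe-LTL by testing one prefix against several extensions.

```python
"""LTL semantics (Definition 3) evaluated on ultimately periodic words
z = prefix . loop^omega, using the suffix notation z[k] from the text.
Added example, not code from the paper or from PessoaLTL; the tuple-based
formula encoding and the sample words are constructed here."""
from functools import lru_cache

# Formula encoding (an assumption of this example): ("p", name) | ("not", f) |
# ("and", f, g) | ("or", f, g) | ("next", f) | ("until", f, g) | ("weak", f, g)
def atom(p):       return ("p", p)
def neg(f):        return ("not", f)
TRUE = ("or", atom("p"), neg(atom("p")))      # true  := p or not p, as in the text
FALSE = ("and", atom("p"), neg(atom("p")))    # false := p and not p
def eventually(f): return ("until", TRUE, f)  # <>f := true U f
def always(f):     return ("weak", f, FALSE)  # []f := f W false

def satisfies(prefix, loop, formula):
    """Does z = prefix . loop^omega satisfy formula?  Letters are sets of props."""
    P, L = len(prefix), len(loop)
    if L == 0:
        raise ValueError("loop must be non-empty")

    def letter(i):            # z(i)
        return prefix[i] if i < P else loop[(i - P) % L]

    def norm(i):              # smallest i' with z[i'] == z[i]; keeps the memo finite
        return i if i < P else P + (i - P) % L

    def horizon(i):           # positions j >= i whose suffixes z[j] are pairwise distinct
        return range(i, max(i, P) + L)

    @lru_cache(maxsize=None)
    def hold(phi, i):         # z[i] |= phi
        i = norm(i)
        op = phi[0]
        if op == "p":
            return phi[1] in letter(i)
        if op == "not":
            return not hold(phi[1], i)
        if op == "and":
            return hold(phi[1], i) and hold(phi[2], i)
        if op == "or":
            return hold(phi[1], i) or hold(phi[2], i)
        if op == "next":
            return hold(phi[1], i + 1)
        if op == "until":     # exists k >= i: z[k] |= g and z[j] |= f for i <= j < k
            f, g = phi[1], phi[2]
            return any(hold(g, k) and all(hold(f, j) for j in range(i, k))
                       for k in horizon(i))
        if op == "weak":      # f holds forever, or f U g
            f, g = phi[1], phi[2]
            return all(hold(f, j) for j in horizon(i)) or hold(("until", f, g), i)
        raise ValueError(f"unknown operator {op!r}")

    return hold(formula, 0)

# Constructed sample words over P = {obstacle, target}; E is the empty letter.
OBS, TGT, E = {"obstacle"}, {"target"}, set()
psi = ("weak", neg(atom("obstacle")), atom("target"))    # safe-LTL: avoid until target
phi = ("until", neg(atom("obstacle")), atom("target"))   # additionally reach target
reach_then_idle = ([E, E, TGT], [OBS])   # reaches target; later obstacles are irrelevant
never_reaches   = ([E], [E])             # safe forever, but never reaches the target
hits_obstacle   = ([E, OBS], [TGT])      # enters an obstacle before the target

def check(word, formula):
    return satisfies(word[0], word[1], formula)

def decomposition_holds(word):
    """phi == psi and <>target on this word (the decomposition used in Section 6.1)."""
    return check(word, phi) == check(word, ("and", psi, eventually(atom("target"))))

def prefix_is_bad(prefix, loops, formula):
    """Finite-prefix check of Section 3.2: the prefix fails on every tried extension."""
    return all(not satisfies(prefix, loop, formula) for loop in loops)

if __name__ == "__main__":
    for name, word in [("reach_then_idle", reach_then_idle),
                       ("never_reaches", never_reaches), ("hits_obstacle", hits_obstacle)]:
        print(f"{name}: psi={check(word, psi)} phi={check(word, phi)}")
    print("[E, OBS] is a bad prefix of psi:",
          prefix_is_bad([E, OBS], [[TGT], [E], [OBS]], psi))
```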

Thus, reasoning about safety properties on infinite behaviors can be reduced to reasoning about their finite prefixes. First, we recall nondeterministic finite automata as acceptors of languages over finite words. A nondeterministic finite automaton (NFA) is a 5-tuple $A = (Q, Q_0, \Sigma, \delta, F)$, where $Q$ is a finite set of states, $Q_0 \subseteq Q$ is a set of initial states, $F \subseteq Q$ is a set of final states, $\Sigma$ is an alphabet, and $\delta \subseteq Q \times \Sigma \times Q$ is a set of transitions. An NFA is deterministic, written DFA, if $|Q_0| = 1$ and $\delta$ defines a total function from $Q \times \Sigma$ into $Q$. The unique successor of a state $q \in Q$ under the letter $a \in \Sigma$ in a deterministic automaton is denoted by $\delta(q, a)$. A run of an NFA on a word $a = a_0 \cdots a_{n-1} \in \Sigma^*$ is a sequence $q_0 \xrightarrow{a_0} q_1 \cdots \xrightarrow{a_{n-1}} q_n$ such that $q_0 \in Q_0$ and for each $0 \leq i \leq n - 1$ we have $(q_i, a_i, q_{i+1}) \in \delta$. A run is accepting if moreover $q_n \in F$, and we say the NFA accepts $a$. The language of an NFA is the set of all words $a \in \Sigma^*$ such that the NFA has an accepting run on $a$.

The set of bad prefixes for a safety formula $\varphi$ is defined by:

$\mathrm{Bad}(\varphi) = \{z \in (2^P)^* \mid \forall w \in (2^P)^\omega.\ z \cdot w \not\models \varphi\}.$

That is, a (finite) prefix $z$ is bad if none of its infinite extensions $z \cdot w$ satisfies the formula $\varphi$. The set of fine prefixes is the set of finite prefixes that are sufficient to prove that the computation is unsafe. We say that a set $Z \subseteq \mathrm{Bad}(\varphi)$ is a trap for the safety language $L(\varphi)$ iff every word $w \notin L(\varphi)$ has at least one prefix $z \in Z$. We denote all the traps for $L(\varphi)$ by $\mathrm{trap}(L(\varphi))$.

We say that a nondeterministic automaton $N_\varphi$ is fine for $\varphi$ iff there exists $Z \in \mathrm{trap}(L(\varphi))$ such that $L(N_\varphi) = Z$. Thus, a fine automaton $N_\varphi$ may not accept all the bad prefixes; however, it should accept at least one bad prefix of every computation that does not satisfy $\varphi$.

[Figure 1: $p\, \mathcal{W}\, q$. (a) Fine automaton for $p\, \mathcal{W}\, q$. (b) Determinized version.]



Kupferman and Vardi [13, 15] show that an automaton fine for $\varphi$ can be constructed from $\varphi$. The translation is based on the reverse deterministic automaton defined in [30]. In PessoaLTL we implemented the version of Kupferman and Vardi's algorithm reported in [15] and presented here as Algorithm 1. This algorithm computes $N_\varphi$ from a safe-LTL formula $\varphi$. It first computes the set $cl$ of subformulas of $\neg\varphi$ by the procedure computeClosure. Since each state of the automaton represents whether each of the subformulas is either true or false in that state, the fine automaton can have at most $2^{|cl|}$ states.

Proposition 1. For every safe-LTL formula $\varphi$, Algorithm 1 constructs a nondeterministic fine automaton for $\varphi$ with at most $2^{|\varphi|}$ states.



4. CONTROLLER SYNTHESIS

In this section, we assume that we have already computed a finite abstraction, in the form of a system $S$, of the physical components. PessoaLTL accepts a pair of specifications $(\varphi_S, \varphi_L)$: the first, $\varphi_S$, is a safe-LTL formula that specifies the safety requirements of the system, and the second, $\varphi_L$, is a guarantee formula of the form $\Diamond p$ that specifies that the goal $p$ is eventually reached. We perform controller synthesis in two steps. First, we compute the maximal winning strategy for player 0 for the safe-LTL part of the specification. Second, we compute a controller that ensures the guarantee property using a strategy compatible with the maximal strategy.

4.1 Controller Synthesis for Safe-LTL

For synthesizing a controller for a safe-LTL formula $\varphi$, we construct a deterministic automaton on finite words that is fine for $\varphi$. Note that Algorithm 1 may produce an NFA. However, determinization for NFAs over finite words uses the (easier to implement) subset construction.

Theoretically, the determinization step adds one more exponential, making the complexity of the construction doubly exponential in the size of $\varphi$. In our practical examples, this double exponential behavior has not shown up. For example, given the fine automaton for $p\, \mathcal{W}\, q$, the subset construction creates the deterministic automaton of Figure 1(b).



Given a system $S = (X, X_0, U, \rightarrow, Y, H)$ and a DFA $D_\varphi = (Q, q_0, Y, \delta, F)$ fine for $\varphi$, we define the synchronous product $S \times D_\varphi = (X', X'_0, U', \rightarrow', Y', H')$ where

• $X' = X \times Q$;

• $X'_0 = \{(x, q) \mid x \in X_0,\ q = \delta(q_0, H(x))\}$;

• $U' = U$;

• $(x, q) \xrightarrow{u}{}' (x', q')$ if $x \xrightarrow{u} x'$ and $\delta(q, H(x')) = q'$;

• $Y' = Y$;

• $H'((x, q)) = H(x)$ for each $(x, q) \in X'$.

A controller enforcing $\varphi$ on $S$ can be constructed by synthesizing a controller on the synchronous product $S \times D_\varphi$ enforcing the specification that the system always remains in the states $X \times (Q \setminus F)$, i.e., that player 0 ensures that no word in the language of $D_\varphi$ is seen. This is a safety game where player 0 keeps the states in the invariant set $X \times (Q \setminus F)$, and can be solved using existing methods by iterating a symbolic controllable-predecessor operator [34, 17]. Moreover, it is well-known that player 0 has memoryless maximal winning strategies in this game.

Algorithm 1 ConstructFineAutomaton(ψ)

    ψ' := NNF(¬ψ); cl := computeClosure(ψ')
    F := {∅}; Q := {∅}; X := {∅}; Q₀ := {}; δ := {}
    while X ≠ ∅ do
        s := Dequeue(X)
        foreach σ ∈ Σ = 2^P do
            s' := {}
            foreach φ ∈ cl do                  -- subformulas are visited before the formulas built from them
                switch
                    case φ = q or φ = ¬q for q ∈ P:
                        if φ is satisfied by σ then s' := s' ∪ {φ}
                    case φ = φ₁ ∨ φ₂:
                        if φ₁ ∈ s' or φ₂ ∈ s' then s' := s' ∪ {φ}
                    case φ = φ₁ ∧ φ₂:
                        if φ₁ ∈ s' and φ₂ ∈ s' then s' := s' ∪ {φ}
                    case φ = ○φ₁:
                        if φ₁ ∈ s then s' := s' ∪ {φ}
                    case φ = φ₁ U φ₂:
                        if φ₂ ∈ s' or (φ₁ ∈ s' and φ ∈ s) then s' := s' ∪ {φ}
                end switch
            end for
            if ψ' ∈ s' then Q₀ := Q₀ ∪ {s'}      -- ψ' is ¬ψ in NNF
            δ := δ ∪ {(s', σ, s)}                -- transitions run backwards: the automaton is built in reverse
            if s' ∉ Q then X := X ∪ {s'}; Q := Q ∪ {s'}   -- enqueue each state once, so the loop terminates
        end for
    end while
    return N_fine = (Q, Q₀, 2^P, δ, F)



Theorem 1. Let $S = (X, X_0, U, \rightarrow, Y, H)$ be a system and let $D_\varphi = (Q, Q_0, Y, \delta, F)$ be a deterministic finite automaton fine for the safe-LTL formula $\varphi$. For any initial state $x \in X_0$, player 0 has a winning strategy for the safe-LTL formula $\varphi$ if player 0 has a memoryless winning strategy from the unique initial state $(x, q) \in X'_0$ of $S \times D_\varphi$ to stay in the states $X \times (Q \setminus F)$. Moreover, player 0 has a maximal winning strategy in $S \times D_\varphi$ which ensures that all runs of the system stay in the states $X \times (Q \setminus F)$.

Thus, the algorithm to construct a maximal memoryless controller for a system $S$ and a safe-LTL property $\varphi$ proceeds as follows. First, we construct an NFA $N_\varphi$ fine for $\varphi$. Second, we use the subset construction to determinize $N_\varphi$ into a DFA $D_\varphi$. Third, we construct the synchronous product of $S$ with $D_\varphi$. Finally, we solve the safety game on $S \times D_\varphi$ for the winning set within $X \times (Q \setminus F)$ and construct a maximal memoryless winning strategy.

4.2 Controller Synthesis for the Guarantee Part

Let $S \times D_\varphi = (X, X_0, U, \rightarrow, Y, H)$ be the synchronous product of a system and a DFA fine for the safe-LTL formula $\varphi$, and let $\pi$ be a maximal memoryless winning strategy for player 0. We define the restriction of $S \times D_\varphi$ modulo $\pi$ to be the system $(X, X_0, U, \rightarrow', Y, H)$ where $x \xrightarrow{u}{}' x'$ if $x \xrightarrow{u} x'$ and $u \in \pi(x)$. That is, we restrict the actions available at a state to only those allowed by the maximal strategy $\pi$.

We now consider constructing a controller for the guarantee part $\Diamond p$. We solve this by constructing a winning strategy in the reachability game on the product $S \times D_\varphi$ modulo $\pi$, the maximal memoryless winning strategy for the safety game. Again, the solution to the reachability game is constructed by iterating a symbolic controllable predecessor operator [34, 17].

The resulting strategy ensures that the guarantee part $\Diamond p$ is enforced by player 0 (by construction in the reachability game), while always maintaining the safety part (by ensuring that the strategy is compatible with $\pi$). Together, the controller enforces the specification $\varphi_S \wedge \varphi_L$.

While the current implementation of PessoaLTL only handles guarantee properties of the form $\Diamond p$ (or some syntactic sugar, e.g., properties of the form $p_1\, \mathcal{U}\, p_2$ using the identity $p_1\, \mathcal{U}\, p_2 = p_1\, \mathcal{W}\, p_2 \wedge \Diamond p_2$), notice that all we need is that a deterministic generator for the liveness part of the specification is efficiently computable. For example, it is easy to extend the algorithm when the liveness part of the specification is a Büchi requirement $\Box\Diamond p$, or more generally, to the fragments described in [2].

5. CONTROLLER REFINEMENT

The discussion so far has focused on the synthesis of strategies enforcing LTL formulas over the finite abstraction $S$ of a physical system. The natural next step is to refine the controller synthesized for $S$ to a controller enforcing the specification on the differential equation model of the physical system. Typical controller implementations are done on digital platforms, hence it is convenient to assume a periodic² execution of the controller implementation with period $\tau$. Moreover, a time discretized version of the differential equation:

$\dot{x} = f(x, u), \qquad x \in \mathbb{R}^n,\ u \in \mathbb{R}^m \qquad (3)$

modeling the physical system being controlled can be described by the system $S_\tau = (X_\tau, X_{\tau 0}, U_\tau, \rightarrow_\tau, Y_\tau, H_\tau)$ consisting of:

• $X_\tau = \mathbb{R}^n$;

• $X_{\tau 0} = X_\tau$;

• $U_\tau = \mathbb{R}^m$;

• $x \xrightarrow{u}_\tau x'$ if there exists a solution $\xi$ of (3) for the constant input $u$ satisfying $\xi(0) = x$ and $\xi(\tau) = x'$;

• $Y_\tau = X_\tau$;

• $H_\tau(x) = x$ for any $x \in X_\tau$.

² There are also considerable advantages to considering non-periodic implementations as in [3]; however, such approaches are outside the scope of this paper.



The results in [22, 33] guarantee the existence of a finite system $S$ and of an $\varepsilon$-approximate alternating simulation relation $R$ from $S$ to $S_\tau$. Note that while $S_\tau$ is deterministic, the abstraction process introduces nondeterminism in $S$. Nevertheless, the existence of the relation $R$ guarantees that any controller synthesized for $S$ can be refined to a controller for $S_\tau$. A formal description of the refined controller can be found in [26]. Here, we provide an informal description which we believe to be more informative. Any state $x_\tau \in X_\tau$ of the system $S_\tau$ is related by $R$ to a state $x \in X$ in the finite abstraction $S$. If the strategy $\pi_0$ dictates that the input $u \in U$ should be used at the state $x$, then by using a constant input curve of duration $\tau$ and value $u$ in $S_\tau$, we are guaranteed to reach a state $x'_\tau \in X_\tau$ that is $R$-related to a state $x' \in \mathrm{Post}_u(x)$. Hence, the refined controller consists of a loop performing the following steps:



1. Acquire the current state from sensors/estimators;

2. Identify the state in $S$ that is related by $R$ to the current state;

3. Compute the input $u$ given by the strategy $\pi_0$;

4. Send the value $u$ to the actuators and keep it constant for $\tau$ units of time;

5. Loop to step 1.



This refined controller enforces the specification on $S_\tau$ up to an error $\varepsilon$ as stated in the next result.

Proposition 2. Let $S_\tau$ be the time discretization of a differential equation governing the physical system to be controlled and let $\varphi$ be an LTL formula whose predicates correspond to subsets of $Y_\tau$. Consider the finite abstraction $S$ of $S_\tau$ and let $R$ be the $\varepsilon$-approximate alternating simulation relation from $S$ to $S_\tau$. For any strategy $\pi_0$ enforcing $\varphi$ on $S$, the strategy $\pi_{\tau 0}$ obtained by refining $\pi_0$ enforces $\varphi$ on $S_\tau$ up to an error of $\varepsilon$, that is, for any environment strategy $\pi_1$ for $S$ we have $d(y(i), y_\tau(i)) \leq \varepsilon$ for every $i \in \mathbb{N}$, for the unique $y \in \mathrm{outputs}(x, \pi_0, \pi_1)$, the unique $y_\tau \in \mathrm{outputs}(x_\tau, \pi_{\tau 0})$, and for any $(x, x_\tau) \in R$.

6. CASE STUDY : ROBOT CONTROLLER

We consider a nonholonomic robot described by the following differential equations:

$$\dot{x} = v \cos\theta$$

$$\dot{y} = v \sin\theta$$

where $(x, y)$ denotes the robot position and $\theta$ its orientation. The inputs are $v$ and $\omega$ and correspond to the linear and angular velocity of the robot, respectively. Using PESSOA we compute a finite abstraction $S$ of the differential equation model of the robot. This abstraction is approximately alternatingly simulated by the differential equation model with a precision of $\varepsilon = 0.1$. In this abstraction the input $v$ is restricted to take values in the set $\{0, 0.2, 0.4\}$ while the input $\omega$ is restricted to take values in the set $\{-0.2, 0, 0.2\}$.
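As an added illustration, not code from the paper or from PESSOA, the following Python script runs the five-step refined controller loop of Section 5 on the unicycle model above. It assumes the third state equation $\dot\theta = \omega$ (the standard unicycle model), a sampling period $\tau = 1$, a uniform state grid of spacing 0.2 so that rounding a measured state to the nearest grid point meets the $\varepsilon = 0.1$ precision, and a hand-written stand-in for the synthesized strategy $\pi_0$; the grid, $\tau$ and the stand-in strategy are hypothetical, while the admissible input sets are those stated in the text. The script records, for every control cycle, whether the measured state was indeed $R$-related to the abstract state the controller acted on.

```python
import math

# Added example, not PESSOA code: one run of the refined-controller loop of
# Section 5 (steps 1-5) on the unicycle robot of Section 6. Assumptions,
# all hypothetical unless stated: theta_dot = omega (standard unicycle model),
# sampling period TAU = 1.0, a uniform state grid of spacing ETA = 0.2 so that
# every concrete state lies within EPS = 0.1 (the paper's precision) of one grid
# point, and a hand-written stand-in for the synthesized strategy pi_0.
ETA = 0.2                      # grid spacing of the finite abstraction (assumed)
EPS = 0.1                      # precision of the approximate simulation relation
TAU = 1.0                      # duration for which each input is held (assumed)
V_SET = (0.0, 0.2, 0.4)        # admissible linear velocities v (from the paper)
W_SET = (-0.2, 0.0, 0.2)       # admissible angular velocities omega (from the paper)


def robot_dot(state, u):
    """x' = v cos(theta), y' = v sin(theta), theta' = omega (the last one assumed)."""
    x, y, theta = state
    v, omega = u
    return (v * math.cos(theta), v * math.sin(theta), omega)


def flow(state, u, tau, steps=100):
    """Step 4: hold the constant input u for tau time units (RK4 integration)."""
    h = tau / steps
    s = state
    for _ in range(steps):
        k1 = robot_dot(s, u)
        k2 = robot_dot(tuple(si + h / 2 * ki for si, ki in zip(s, k1)), u)
        k3 = robot_dot(tuple(si + h / 2 * ki for si, ki in zip(s, k2)), u)
        k4 = robot_dot(tuple(si + h * ki for si, ki in zip(s, k3)), u)
        s = tuple(si + h / 6 * (a + 2 * b + 2 * c + d)
                  for si, a, b, c, d in zip(s, k1, k2, k3, k4))
    return s


def abstract_state(conc):
    """Step 2: the grid point related by R to the measured state."""
    return tuple(round(c / ETA) * ETA for c in conc)


def related(abs_state, conc):
    """(abs_state, conc) in R: componentwise distance at most EPS (1e-9 float slack)."""
    return max(abs(a - c) for a, c in zip(abs_state, conc)) <= EPS + 1e-9


def strategy(abs_state, goal):
    """Stand-in for pi_0 (hypothetical): turn toward goal, drive, stop inside it.
    Returns only inputs from V_SET x W_SET, as the abstraction allows."""
    x, y, theta = abs_state
    dx, dy = goal[0] - x, goal[1] - y
    if abs(dx) <= EPS and abs(dy) <= EPS:
        return (0.0, 0.0)                 # inside the goal: stop
    err = (math.atan2(dy, dx) - theta + math.pi) % (2 * math.pi) - math.pi
    omega = 0.2 if err > 0.15 else (-0.2 if err < -0.15 else 0.0)
    if abs(err) >= 0.5:
        v = 0.0                           # turn in place first
    elif math.hypot(dx, dy) <= 0.3:
        v = 0.2                           # creep into the goal
    else:
        v = 0.4
    return (v, omega)


def refined_controller(conc0, goal, cycles):
    """Steps 1-5: returns the concrete states visited, the inputs applied, and
    whether every measured state was R-related to the abstract state used."""
    states, inputs, ok = [conc0], [], True
    conc = conc0
    for _ in range(cycles):
        abs_s = abstract_state(conc)      # steps 1-2: measure, find related state
        ok = ok and related(abs_s, conc)
        u = strategy(abs_s, goal)         # step 3: input dictated by the strategy
        assert u[0] in V_SET and u[1] in W_SET
        conc = flow(conc, u, TAU)         # step 4: hold u for tau time units
        states.append(conc)
        inputs.append(u)
    return states, inputs, ok             # step 5: the for-loop is the "loop to step 1"


if __name__ == "__main__":
    states, inputs, ok = refined_controller((0.0, 0.0, 0.0), (1.0, 0.0), 4)
    print(inputs, ok, states[-1])
```

Because the strategy only ever sees the abstract state, the `related` check is what connects the run back to Proposition 2: as long as it stays true, the concrete trajectory tracks the abstract one within $\varepsilon$ in every cycle.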




Figure 2: Closed-loop diagram in Simulink showing the automatically synthesized controller.



6.1 Reachability with Obstacle Avoidance

For every obstacle (see the blue sets in Figure 3) we construct a predicate $\mathit{obstacle}_i$, $i \in \{1, 2, 3\}$, that is true whenever the robot is inside the set defined by the obstacle. Similarly, we define the predicate $\mathit{target}$ describing the target set represented by the red set in Figure 3. The objective of reaching the target set, if possible, while avoiding the obstacles is naturally expressed by the safe-LTL formula:

$$\varphi = \big(\neg(\mathit{obstacle}_1 \vee \mathit{obstacle}_2 \vee \mathit{obstacle}_3)\big)\ \mathcal{W}\ \mathit{target}.$$

Note that $\varphi$ does not require the target set to be reached. Such a requirement can be prescribed by using instead the LTL formula:

$$\psi = \big(\neg(\mathit{obstacle}_1 \vee \mathit{obstacle}_2 \vee \mathit{obstacle}_3)\big)\ \mathcal{U}\ \mathit{target}.$$

Since $\psi$ can be decomposed as

$$\psi = \varphi \wedge \Diamond\, \mathit{target},$$

we first solve the safety problem specified by $\varphi$ and then we solve the reachability problem specified by $\Diamond\, \mathit{target}$. The synthesized controller is automatically refined to a Simulink block in PESSOA (see Figure 2) in order to simulate the closed-loop behavior. In Figure 3 we show the trajectory followed by the robot, and in Figure 4 we show the inputs used to steer the robot. The yellow line represents the translational velocity input while the magenta line represents the angular velocity input.

Figure 3: Trajectory followed by the robot.

Figure 4: Input signal generated by the controller.



6.2 Fault tolerance

We consider the same robot as in the previous case study. We assume that the communication between the several sensors onboard the robot and the microprocessor running the control code is governed by a protocol that reports whether communication is successful or not. There are several reasons for unsuccessful communication, such as the fact that the communication medium is shared among several subsystems, and sensor failures. We now consider a specification detailing how the robot should operate in case of sensor

Figure 5: Fine-automaton for the LTL formula (4)

The main microprocessor may fail to receive sensor measurements more than once. In such a case the controller should have a strategy to protect the robot from either leaving the desired working area or hitting the obstacles. One possible way of encoding this objective as a safety property is to require that if sensor measurements are not received two or more times during three consecutive control cycles, the robot should stop and remain at its current location. In order to formalize this property we extend the model of the robot so as to incorporate the previously used input as part of the state. Consider now the predicate $\mathit{stop}$, which is true (resp. false) when the input $v$ is equal to (resp. different from) zero, and the predicate $\mathit{fail}_{3,2}$, which is true when 2 or more sensor measurements were not received during 3 consecutive control cycles. Since in LTL we cannot refer to the past, we encode $\mathit{fail}_{3,2}$ by making reference to the future as follows:

$$\mathit{fail}_{3,2} = (f \wedge \bigcirc f) \vee (\bigcirc f \wedge \bigcirc\bigcirc f) \vee (f \wedge \bigcirc\bigcirc f).$$



In the preceding formula $f$ is the predicate that becomes true every time the microprocessor fails to receive sensor measurements. The final formula can then be obtained as:

$$\Box\big(\mathit{fail}_{3,2} \rightarrow \bigcirc\bigcirc\bigcirc\, \mathit{stop}\big). \qquad (4)$$

Figure 5 shows the fine-automaton for the preceding property. In Figure 6 we show the inputs generated by the controller when the predicate $f$ evolves according to:

/// / /// / // //./7. 

The yellow line represents the translational velocity input ($v$) while the magenta line represents the angular velocity input ($\omega$). Note that whenever the protocol returns two consecutive failures ($f$ is true twice), the input $v$ generated by the controller at the next control cycle is zero. Figure 7 shows the closed-loop evolution of $\theta$, $x$, $y$, $\omega$ and $v$ for the given fault sequence. The colors of these state variables are cyan, yellow, magenta, red and green, respectively.

Figure 6: Inputs Generated by Controller

We can easily develop more sophisticated fault tolerance requirements. Let $\mathit{slow}$ denote the predicate that holds true when $v = 0.2$, corresponding to half of the maximum velocity. We could, e.g., require that when the sensor measurements are not received one in three control cycles, the robot should reduce its translational speed to $v = 0.2$. Such a specification can be written as:



$$\Box\big(\mathit{fail}_{3,1} \rightarrow \bigcirc\bigcirc\bigcirc\, \mathit{slow}\big) \qquad (5)$$

where $\mathit{fail}_{3,1}$ captures one sensor failure in three control cycles:

$$(f \wedge \bigcirc f \wedge \bigcirc\bigcirc \neg f) \vee (\neg f \wedge \bigcirc f \wedge \bigcirc\bigcirc f) \vee (f \wedge \bigcirc \neg f \wedge \bigcirc\bigcirc f).$$

By conjoining (4) with (5) we would obtain a more detailed requirement asking for the robot to slow down when one measurement fails in the three consecutive control cycles, and to stop when two measurements fail.

Figure 7: States

Table 8 shows the time and space complexity of fine automata for the formula $\varphi = \Box(\mathit{fail}_{n,k} \rightarrow \bigcirc^n \mathit{stop})$, where $k$ is the number of faults in $n$ consecutive readings. The length column denotes the length of $\mathrm{nnf}(\neg\varphi)$. $\bigcirc^n \phi$ is a shorthand for $n$ consecutive $\bigcirc$ applied to $\phi$.

Parameters    length   Time(s)    |NFA|   |DFA|
n=3, k=2      10       0.714      245     10
n=3, k=1      10       1.096      253     10
n=4, k=1      13       12.690     1045    15
n=5, k=1      16       110.026    2717    21
n=6, k=1      19       1957.450   7933    28

Figure 8: Fine Automata Size and Time to build



6.3 Mode-switching

In this section we consider an instantiation of the mode-switching problem that frequently occurs in autonomous vehicles. This problem consists in defining different scenarios and specifying the desired behavior for each of those scenarios. In a cruise control system, for example, the nominal scenario would require maintaining a desired velocity. However, in the presence of rain or ice, the velocity may need to be reduced. Similarly, if the vehicle in front reduces its speed, an automatic cruise control system would immediately reduce the velocity to avoid a collision. Similar examples of scenarios and corresponding goals can be found in many different application domains. To model the mode switching problem in LTL we first consider the template formula $\varphi_i$ defined as:

$$\mathit{scen}_i \Rightarrow (\mathit{scen}_i \wedge \neg\mathit{goal}_i)\ \mathcal{W}\ \big((\mathit{scen}_i \wedge \mathit{goal}_i)\ \mathcal{W}\ \neg\mathit{scen}_i\big).$$

This formula is satisfied when, if scenario $i$ happens, the system stays in scenario $i$ states until another scenario happens. Moreover, while the system stays in scenario $i$, it should try to reach $\mathit{goal}_i$ states. If we have $n$ pairs of scenarios and goals, we can construct a formula $\varphi_i$ for each pair, and the final requirement is captured by requiring the conjunction of these formulas to hold for all time:

$$\Box(\varphi_1 \wedge \varphi_2 \wedge \ldots \wedge \varphi_n).$$



To illustrate the mode switching problem in the context of the mobile robot example, we consider the scenario to be specified by a remote operator that instructs the robot to move to one of two locations described by the predicates:

$$\mathit{goal}_1 = \{(x, y, \theta) \in \mathbb{R}^3 \mid 4.4 < x < 4.6 \wedge 1 < y < 1.6\}$$

$$\mathit{goal}_2 = \{(x, y, \theta) \in \mathbb{R}^3 \mid 4.6 < x < 5.0 \wedge 1 < y < 1.6\}$$

The formulas defining the scenarios are the predicates $\mathit{scen}_1$ and $\mathit{scen}_2 = \neg\mathit{scen}_1$, whose truth value can be dynamically changed by the robot operator according to the location where he wants the robot to go. The fine automaton for the resulting specification (Figure 9) was constructed in $<1$ seconds and has 4 DFA states.




Figure 9: Fine Automaton For Switching Property 
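The three specifications of Sections 6.1, 6.2 and 6.3 share the same small operator set, so a single added Python example (not part of the paper or of PESSOA) serves all of them: a bounded-trace evaluator for $\neg$, $\wedge$, $\vee$, $\bigcirc$, $\Diamond$, $\Box$, $\mathcal{U}$ and $\mathcal{W}$; a generator for $\mathit{fail}_{n,k}$ that generalises the $\mathit{fail}_{3,2}$ encoding of Section 6.2 under the assumed reading "at least $k$ failures in the next $n$ cycles" (for $n=3$, $k=2$ it reproduces the three disjuncts given there; the page writes $\mathit{fail}_{3,1}$ as explicit disjuncts instead, so that formula is not regenerated here); the decomposition $\psi = \varphi \wedge \Diamond\,\mathit{target}$ of Section 6.1; formula (4); and the template $\varphi_i$ of Section 6.3 for two scenarios. All traces are constructed for illustration, not taken from the paper's simulations, and treating $\bigcirc$ as false past the last cycle of a finite trace is an assumption of this example.

```python
from itertools import combinations

# Added example, not PESSOA code: a finite-trace evaluator for the LTL
# fragment of Section 6, a generator for fail_{n,k} ("at least k failures in
# n consecutive cycles", an assumed reading that matches fail_{3,2}), and the
# mode-switching template of Section 6.3. Formulas are nested tuples; a trace
# is a list of sets, one per control cycle, of the atomic propositions true
# in that cycle. All traces below are constructed, not the paper's runs.


def holds(phi, trace, i=0):
    """True iff phi holds at position i of the finite trace.
    Assumed finite-horizon semantics: X past the last cycle is false."""
    op = phi[0]
    if op == 'ap':
        return phi[1] in trace[i]
    if op == 'not':
        return not holds(phi[1], trace, i)
    if op == 'and':
        return holds(phi[1], trace, i) and holds(phi[2], trace, i)
    if op == 'or':
        return holds(phi[1], trace, i) or holds(phi[2], trace, i)
    if op == 'X':
        return i + 1 < len(trace) and holds(phi[1], trace, i + 1)
    if op == 'F':
        return any(holds(phi[1], trace, j) for j in range(i, len(trace)))
    if op == 'G':
        return all(holds(phi[1], trace, j) for j in range(i, len(trace)))
    if op == 'U':   # phi[2] at some j >= i, with phi[1] at every k in [i, j)
        return any(holds(phi[2], trace, j)
                   and all(holds(phi[1], trace, k) for k in range(i, j))
                   for j in range(i, len(trace)))
    if op == 'W':   # weak until: until, or phi[1] on the whole remaining trace
        return holds(('U', phi[1], phi[2]), trace, i) or holds(('G', phi[1]), trace, i)
    raise ValueError("unknown operator %r" % op)


def X_n(phi, n):
    """n consecutive next operators applied to phi (the paper's X^n shorthand)."""
    for _ in range(n):
        phi = ('X', phi)
    return phi


def conj(fs):
    out = fs[0]
    for f in fs[1:]:
        out = ('and', out, f)
    return out


def disj(fs):
    out = fs[0]
    for f in fs[1:]:
        out = ('or', out, f)
    return out


FAIL_AP = ('ap', 'f')          # f: sensor measurement not received this cycle


def fail(n, k):
    """fail_{n,k}: at least k of the next n cycles satisfy f, written with X only
    (future references, since the fragment has no past operators)."""
    return disj([conj([X_n(FAIL_AP, p) for p in positions])
                 for positions in combinations(range(n), k)])


# Section 6.1: reach the target while avoiding obstacles.
OBST = disj([('ap', 'obstacle1'), ('ap', 'obstacle2'), ('ap', 'obstacle3')])
TARGET = ('ap', 'target')
PHI = ('W', ('not', OBST), TARGET)      # safe-LTL: avoid obstacles unless target
PSI = ('U', ('not', OBST), TARGET)      # additionally requires reaching the target


def psi_decomposes(trace):
    """The decomposition psi = phi and F target, checked on one trace."""
    return holds(PSI, trace) == (holds(PHI, trace) and holds(('F', TARGET), trace))


# Section 6.2: formula (4), stop three cycles after two failures in three.
STOP = ('ap', 'stop')
SPEC_4 = ('G', ('or', ('not', fail(3, 2)), X_n(STOP, 3)))


# Section 6.3: template phi_i and the conjunction for two scenarios.
def mode_switch(scen, goal):
    """scen_i => (scen_i & ~goal_i) W ((scen_i & goal_i) W ~scen_i)"""
    s, g = ('ap', scen), ('ap', goal)
    stay_in_goal = ('W', ('and', s, g), ('not', s))
    return ('or', ('not', s), ('W', ('and', s, ('not', g)), stay_in_goal))


SPEC_SWITCH = ('G', ('and', mode_switch('scen1', 'goal1'),
                            mode_switch('scen2', 'goal2')))

# Constructed traces (not from the paper's simulations).
T_REACH = [set(), set(), {'target'}]
T_NEVER = [set(), set(), set()]
T_HIT = [set(), {'obstacle1'}, {'target'}]
T_STOP_OK = [set(), {'f'}, {'f'}, {'stop'}, {'stop'}, set(), set(), set()]
T_STOP_BAD = [set(), {'f'}, {'f'}, {'stop'}, set(), set(), set(), set()]
T_SWITCH = [{'scen1'}, {'scen1'}, {'scen1', 'goal1'}, {'scen1', 'goal1'},
            {'scen2'}, {'scen2', 'goal2'}]
T_LEAVE = [{'scen1'}, {'scen1', 'goal1'}, {'scen1'}, {'scen1', 'goal1'}]

if __name__ == "__main__":
    print("phi, psi on T_REACH:", holds(PHI, T_REACH), holds(PSI, T_REACH))
    print("(4) on T_STOP_OK, T_STOP_BAD:", holds(SPEC_4, T_STOP_OK), holds(SPEC_4, T_STOP_BAD))
    print("switching on T_SWITCH, T_LEAVE:", holds(SPEC_SWITCH, T_SWITCH), holds(SPEC_SWITCH, T_LEAVE))
```

`T_STOP_BAD` differs from `T_STOP_OK` only in the missing `stop` at cycle 4: the failures at cycles 1 and 2 make $\mathit{fail}_{3,2}$ true at cycle 1, so (4) demands `stop` at cycle 4 as well as at cycle 3. `T_LEAVE` shows what the nested weak-until in $\varphi_i$ forbids: once $\mathit{goal}_1$ is reached while $\mathit{scen}_1$ persists, leaving it again violates the template.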